On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote:
Add LDAP into the authenticate section, so that it simply tries to re-bind with the provided credentials? Like this:
Auth-Type LDAP { ldapPerson }
I try this configuration too, but it doesn't work for me. Freeradius doesn't set the value to Auth-Type attribute. I thik that this is because the userPassword attribute is only visible to each particular user when binds.
This is an orthogonal issue; you don't have to allow anyone to read the value of the userPassword attribute, you just have to get the FR ldap module to *bind* to the LDAP server with the username and password from the request. Then the LDAP server verifies it against whatever it needs in the background, and you don't care.
# Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [ldapPerson] bind as / to ldap.unex.es:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful
This is log output for an anonymous bind in authorize section ("bind as / to" means "bind as <no user>/<no password>"). What is the output for the authenticated bind, that happens in the authenticate section? -- 2. That which causes joy or happiness.